# Football Build Quick Reference

## Build Steps

```bash
# 1. Install dependencies (requires Debian 13 Trixie or later)
sudo apt-get install debootstrap qemu-utils kpartx squashfs-tools

# 2. Generate WireGuard keys
wg genkey | tee client-private.key | wg pubkey > client-public.key

# 3. Edit build.sh with your configuration
nano build.sh
# Set: WG_ENDPOINT_IP, WG_ENDPOINT_PORT, WG_PRIVATE_KEY, WG_PUBLIC_KEY

# 4. Build the image
./build.sh

# 5. Deploy
# For VM:
qemu-system-x86_64 -m 2048 -drive file=output/football-vm.qcow2,format=qcow2
# For physical:
sudo dd if=output/football-physical.img of=/dev/sdX bs=4M status=progress
```

## Key Configuration Variables (in build.sh)

```bash
WG_ENDPOINT_IP="192.0.2.1"      # WireGuard server IP
WG_ENDPOINT_PORT="51820"        # WireGuard server port
WG_PRIVATE_KEY="..."            # Client private key (from wg genkey)
WG_PUBLIC_KEY="..."             # Server public key
```

## File Locations

- Build script: `./build.sh`
- Package list: `config/packages.list`
- Hardening script: `config/harden.sh`
- User config: `chroot-overlay/home/user/`
- System services: `chroot-overlay/etc/systemd/system/`
- WireGuard config: `chroot-overlay/etc/wireguard/`

## Quick Troubleshooting

| Issue | Command |
|-------|---------|
| WireGuard status | `sudo wg show` |
| Firewall rules | `sudo iptables -L -n -v` |
| System logs | `sudo journalctl -xe` |
| Network status | `ip addr show` |

## Security Checklist

- [ ] Generated unique WireGuard keys
- [ ] Changed default password (`changeme`)
- [ ] Verified WireGuard endpoint connectivity
- [ ] Configured Remmina profile for PAW
- [ ] Enabled Secure Boot on physical hardware
- [ ] Tested firewall rules
- [ ] Verified no remote access services running

## File Structure

```
football/
├── build.sh              # Run this to build
├── config/               # Build configuration
├── chroot-overlay/       # System files to overlay
├── output/               # Generated images (created after build)
└── README.md             # Full documentation
```
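
A pre-build check for the `build.sh` variables and the key file from build step 2, as an added example that is not part of the Football project. The function names and the script name `preflight.sh` are assumptions; the script reads the `VAR="value"` assignments as text and treats 192.0.2.0/24 as an unedited placeholder because that range is reserved for documentation.

```shell
#!/bin/sh
# Added example: pre-build checks for the WireGuard settings in build.sh.
# Assignments are read as text; build.sh is never sourced or executed.

# Print the value assigned to variable $1 in file $2 (first match).
get_var() {
    sed -n 's/^[[:space:]]*'"$1"'="\{0,1\}\([^"#[:space:]]*\)"\{0,1\}.*/\1/p' "$2" | head -n 1
}

# A WireGuard key is 32 bytes, which is 44 base64 characters.
valid_wg_key() {
    case "$1" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    [ "${#1}" -eq 44 ] || return 1
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -eq 32 ]
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True when the file exists and has no group/other permission bits set.
key_file_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 when the configuration in file $1 passes every check.
check_build_config() {
    cfg=$1; rc=0
    priv=$(get_var WG_PRIVATE_KEY "$cfg"); pub=$(get_var WG_PUBLIC_KEY "$cfg")
    ip=$(get_var WG_ENDPOINT_IP "$cfg"); port=$(get_var WG_ENDPOINT_PORT "$cfg")
    valid_wg_key "$priv" || { echo "FAIL: WG_PRIVATE_KEY is not a 32-byte base64 key"; rc=1; }
    valid_wg_key "$pub"  || { echo "FAIL: WG_PUBLIC_KEY is not a 32-byte base64 key"; rc=1; }
    [ "$priv" != "$pub" ] || { echo "FAIL: private and public key are identical"; rc=1; }
    valid_port "$port"   || { echo "FAIL: WG_ENDPOINT_PORT is not in 1-65535"; rc=1; }
    case "$ip" in
        ''|192.0.2.*) echo "FAIL: WG_ENDPOINT_IP is empty or still in 192.0.2.0/24"; rc=1 ;;
    esac
    return "$rc"
}

# Usage when run with arguments: ./preflight.sh build.sh [client-private.key]
if [ "$#" -gt 0 ]; then
    check_build_config "$1" && key_file_private "${2:-client-private.key}" \
        || { echo "FAIL: fix the items above (key file must not be group/world accessible)"; exit 1; }
    echo "OK: configuration passes the pre-build checks"
fi
```

Run it between steps 3 and 4; a key file created by `tee` under a default umask fails the permission check until it is restricted with `chmod 600 client-private.key`.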